By Jesse Shade, Vice President, Information Technology, Tower MSA Partners
Heightened cybersecurity threats during the COVID-19 pandemic called for tighter security measures that should become best practices that outlive the coronavirus.
The U.S. saw cyberattacks peak on April 7, 2020 with a total of 1,417,827 attacks, according to an Atlas VPN report. Comparing the periods of February 9 – March 9, 2020 to March 10 – April 10, 2020, these attacks jumped by 330%.
Workers’ compensation payers, third-party administrators, ancillary care providers, and Medicare Secondary Payer (MSP) compliance companies store, manage, and transfer massive volumes of personal health information (PHI). This makes them prime targets for cyberattacks.
PHI is 50 times more valuable than financial data on the black market, according to Cybersecurity Ventures. Medical records often contain names, dates of birth, and enough other information to establish a false credit account. A single record can sell for more than $60, which is a good 10 times more than credit card information. Plus, unscrupulous actors can perpetrate billing fraud.
Payers and other workers’ compensation organizations need to guard this sensitive data within their own enterprises. And, since these companies regularly exchange data with each other, each company needs to be just as concerned about the cybersecurity practices of its partners as its own.
It’s important to understand how data partner security protocols will stand up to a cyberattack. Here are some measures that should be in place.
The Most Common Cyber Breach Vehicle – Email
The 2019 Verizon Data Breach Incident Report (DBIR) (PDF) says that 94 percent of malware infiltrates systems via email. Here are steps to protect your email system, especially while employees are working remotely:
- Use an SSL (Secure Sockets Layer) certificate or a secure email provider that does, such as Microsoft/Outlook.com
- Require multi-factor authentication for email
- Make sure all software is up to date and all patches installed
- Use a secure virtual private network (VPN) on full tunnel mode. Split tunnels increase risk by allowing some traffic to go to the remote worker’s IP instead of through the company’s network.
- Ensure that SPF, DKIM and DMARC are properly installed. Standing for Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting and Conformance respectively, these work together. They help prevent spam, phishing attacks, and email spoofing and increase the quality of your email. A good explanation can be found here.
- Employ Data Loss Prevention technologies to monitor email and warn the user of potential data loss, including account numbers, social security numbers, and bank account numbers
- Use the latest antivirus and antimalware software, preferably customized applications
- Deploy security monitoring of server log files and network traffic
- Protect internet-facing websites with a strong Secure Sockets Layer (SSL) certificate
- Install antivirus on every machine and server
- Maintain an up-to-date breach policy
- Establish a relationship with a third-party security partner in the event of a security incident or breach
- Consider real-time monitoring by an independent third-party security company
Securing Data Transfer Between Partners
Data transfer poses risks for breaches. While true across all trading partners in the workers’ compensation space, preventing breaches is especially critical for those who exchange data with MSP partners. These companies upload claim data from claims systems and prepare it for Section 111 Mandatory Insurer reporting.
They often identify errors and send feeds back to their clients to provide missing data and correct other issues that would cause the Centers for Medicare and Medicaid Services (CMS) to reject the file. Once the data is accurate, MSP companies upload reports to the CMS’s Benefits Coordination & Recovery Center (BCRC) contractor via Secure File Transfer Protocol (SFTP) or through its secure portal.
Claims data for Medicare Set-Asides (MSAs) transfer in a similar way. CMS has a secure portal and SFTP site that allows users to upload and download documents during the submission process. However, during MSA preparation, documents typically transfer between the client and provider multiple times.
Find out how an MSA provider secures client data by asking the company to:
- Describe their data transfer process and how data is secured. Secure transfer involves the use of Secure File Transfer Protocol (SFTP) or File Transfer Protocol (FTP) over Secure Sockets Layer (SSL).
- Discuss how they handle connectivity. Data needs to be encrypted prior to transmission and decrypted after it reaches its destination. Currently, the minimum standard for secure connectivity is TLS 1.2. TLS stands for Transport Layer Security, which is a cryptographic protocol that increases security over computer networks. TLS 1.3 has been out for over a year and companies such as Cloudflare have it available to their customers. However, Microsoft has yet to upgrade its servers to TLS 1.3.
Other questions to ask:
- Is data secure in transit and at rest?
- What security certifications and/or audits do they have? (SOC is the acronym for system and organizational controls. SOC 2 is the security compliance standard for U.S. data and ISO 27001 is the standard for international data.)
- Is the MSA company’s cloud provider SOC Type II compliant?
- How do they handle intrusion/infiltration detection? Do they have 24/7 monitoring?
- What are their disaster recovery plans (backup datacenter, etc.)?
- What is their Service Level Agreement (SLA) for being back online?
- Has the MSP/MSA provider undergone an annual SOC 2 audit? Administered by a third party, this assesses security policy, asset management, access control, incident management, privacy policies, encryption, multi-factor authentication, and record retention.
- Is there a disaster recovery plan in place, and how often is it tested? (It should be tested annually.)
Security After COVID-19
While cyberattacks are more prevalent during a crisis, they will be with us always.
Hopefully, workers’ compensation organizations are dealing constructively with the cybersecurity issues spurred by COVID-19. In response to the move to working from home, many deployed technologies they had been planning to use eventually.
At this point, workers’ compensation organizations should make sure their networks are as secure as possible and plan for the future. Once things get to some semblance of “normal,” what IT enhancements, services and investments will take place?
The costs of breaches are enormous. The IBM Cost of a Data Breach Report 2019 study conducted by the Ponemon Institute found that the average cost of a data breach in the United States in 2019 was $8.19 million, up from $7.91 million the previous year. Besides the loss of money, companies face losing their reputations and the trust of their clients and customers. Data breaches force some out of business entirely.
You can’t afford to ignore cybersecurity in your own organization or in the organizations of your providers and partners.
About Jesse Shade
An accomplished senior information systems professional, Jesse Shade oversees all aspects of Tower’s technologies, including its data security, systems architecture, disaster recovery, and the maintenance and enhancement of its internal systems for Medicare Set-Asides and Section 111 compliance.
Possessing an unusual blend of interpersonal skills as well as hands-on technical expertise, Shade is responsible for strategic planning and serves on Tower’s executive team. He leads, manages and motivates Tower’s IT staff along with its software and infrastructure projects while also developing the company’s complex technology solutions. His responsibilities include SQL Server development, data modeling, and analysis along with .NET development using Visual Studio 2017, Entity Framework, Bootstrap, HTML, and CSS.
Shade joined Tower in 2018, bringing more than 35 years’ experience in the design and development of technology solutions in a wide variety of industries, including aviation, banking, defense, energy, government, and manufacturing as well as insurance. He is a graduate of the New England Institute of Technology.
Jesse was recently invited to join the Forbes Technology Council – an invitation-only organization for senior-level technology executives.
About Tower MSA Partners
Headquartered in Delray Beach, Florida, Tower MSA Partners provides Medicare Secondary Payer services that focus on settlement optimization via pre-MSA intervention and cost mitigation.
Services include pre-MSA Triage, Medicare Set-Asides, physician peer reviews, drug utilization reviews, CMS submissions, medical cost projections, life care plans, conditional payments, and Section 111 reporting.
Tower leverages leading edge technology to proactively stage claims and works collaboratively with clients to identify issues and intervene to modify outcomes. Tower remains involved in the claims through final resolution, MSA and/or other settlement.
This model enables Tower’s clients to provide better care to injured workers, reduce claim and MSA costs, and obtain CMS acceptance of the MSA. For more information, call 888-331-4941 or visit www.towermsa.com or https://towermsa.com/blog/.